Bandit Bash - Isaiah-River/SYS-255-02-SYSAdmin GitHub Wiki

Main Lab

Overview

This module involves solving problems 1-20 on the OverTheWire training challenge "Bandit." After solving these problems we also had to record a video of ourselves walking through each problem.

Objectives

  • Solve problems 0-20
  • Record four walkthrough videos

Part 01 - Problems 0-5

Problem 0

I began by using the command ssh -p 2220 bandit0@bandit.labs.overthewire.org to secure shell into bandit.labs.overthewire.org as the user bandit0 on port 2220. Once connected, I logged in with the password bandit0.

Problem 0-1

Once signed in to bandit0, I used the command ls to find a file named readme, then used the command cat readme to print a string of text, which I presumed to be the password for bandit1.

Password: NH2SXQwcBdpmTEzi3bvBHMM9H66vVXjL

I exited my SSH connection, reconnected as bandit1 and tried this password, which worked.

Problem 1-2

In bandit1 I checked the instructions, which said the password was in the home directory. I went there with the command cd ~ and used ls to view the files there. I found a file named -, which I couldn't open directly with cat -, as cat would treat the name as a parameter. To get around this I used the command cat <-, which worked just fine. I logged out and used this password to log into bandit2.

Password: rRGizSaX8Mk1RTb1CNQoXTcYZWU6lgzi

Problem 2-3

After I got into bandit2, I had to open a file that had spaces in its name. To do this I used the command cat "spaces in this filename". I then used this password to log into bandit3.

Password: aBZ0W5EmUfAf7kHTQeOwd8bauFJ2lAiG

Problem 3-4

For this problem the password was in a hidden file within the directory inhere, which I entered with the command cd inhere; I then used the command ls -a to view the hidden files within the directory. After this I used the command cat .hidden to open the hidden file containing the password.

Password: 2EW7BBsr6aMMoJ2HjW067dm8EgX26xNe

Problem 4-5

This problem involved opening the inhere directory and going through some files to find the only one with human-readable content. I could have gone through all nine files until I came across the one I could read, but instead I ran the command for x in {0..9}; do file ./-file0$x; done to run the file command, which reports the type of each file. After finding that every file except file07 was reported as data, I used the command cat <-file07 to open file07 and get the password.

Password: lrIWWI6bB37kxfiCQZqUdOIYfr6eEeqR
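The following script is an added example, not part of this wiki page or the Bandit challenge. It rebuilds the situation from Problems 1-2 and 4-5 in a scratch directory: a file literally named -, and ten -file0N files of which only one is readable. All names and contents are constructed, and the readability check is a tr-based heuristic standing in for the file command so that it also runs where file(1) is not installed.

```shell
#!/bin/sh
# Added example, not from the wiki: files whose names start with "-" (Problems
# 1-2 and 4-5) rebuilt in a scratch directory. All names and contents are
# constructed for this demonstration.

# Create a scratch directory holding a file literally named "-" and ten
# "-file0N" files; every one but -file07 is filled with non-printable bytes.
make_dash_files() {
    dir=$(mktemp -d)
    printf 'constructed password for the dash file\n' > "$dir/-"
    for x in 0 1 2 3 4 5 6 7 8 9; do
        # bytes 0x80..0x89: never printable in the C locale
        printf '\200\201\202\203\204\205\206\207\210\211' > "$dir/-file0$x"
    done
    printf 'constructed-password-in-file07\n' > "$dir/-file07"
    echo "$dir"
}

# Print the file named "-". Written as "./-" the name can no longer be mistaken
# for an option; "cat -- -" and the wiki's "cat <-" (where the shell opens the
# file and cat never sees the name) are equivalent.
read_dash_file() {
    ( cd "$1" && cat ./- )
}

# Readability heuristic used instead of file(1): delete every printable byte
# and all whitespace in the C locale; the file is "human readable" if nothing
# is left over.
is_readable() {
    [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# The wiki's {0..9} loop written portably (no brace expansion in plain sh),
# printing the one readable name.
find_readable() {
    for x in 0 1 2 3 4 5 6 7 8 9; do
        if is_readable "$1/-file0$x"; then
            printf '%s\n' "-file0$x"
        fi
    done
}

# Usage: build the directory, read the dash file, locate the readable file.
scratch=$(make_dash_files)
read_dash_file "$scratch"
find_readable "$scratch"
rm -rf "$scratch"
```

The three spellings ./-, -- - and <- all solve the same problem: each makes sure the string "-" reaches cat as a file name (or, with <-, never reaches cat at all) rather than as an option.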

Part 02 - Problems 6-10

Problem 5-6

I began this part by opening the inhere folder and using ls to view its contents, finding that there are 17 directories, each with files that could potentially contain the password. To find the right one I had to search for the properties of the file: human-readable, 1033 bytes in size, and not executable.

To search for the correct file, I used the command man find to look through the manual for the parameters of find. After some scrolling and searching I came across the -size, -type, and -executable options.

Using these, I put together the command find -type f -size 1033c ! -executable. Running this returned ./maybehere07/.file2, leading me to the password for the next level.

Password: P4L4vucdmLnm8I7Vl7jG1ApGSfjYKqJU

Problem 6-7

To find the password here, I had to find a file owned by user bandit7, owned by group bandit6, and 33 bytes in size. To do this I used the find command with the -user and -group parameters. I also needed to start from the root folder by giving / as the starting path. The command came out to find / -user bandit7 -group bandit6 -size 33c. This spat out a long list of error messages.

To filter these results more efficiently I appended 2>/dev/null to the end of the command to discard the standard error messages. With this my final command was find / -user bandit7 -group bandit6 -size 33c 2>/dev/null, which, when run, showed me the file bandit7.password.

Password: z7WtoNQU2XfjmMtWA8u5rN4vzqu4v99S
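The following script is an added example, not part of this wiki page or the Bandit challenge. It rebuilds the search criteria from Problem 5-6 in a constructed scratch tree (one regular file of exactly 1033 bytes that is not executable, plus decoys) and shows the 2>/dev/null redirection from Problem 6-7 on a directory the search is not allowed to read. GNU find is assumed for the -executable test; the owner/group criteria from Problem 6-7 are omitted because creating files owned by other users needs root.

```shell
#!/bin/sh
# Added example, not from the wiki: the bandit5 search criteria rebuilt in a
# scratch tree, plus the stderr redirection from bandit6. GNU find is assumed
# for "-executable". All paths and contents are constructed.

# Write a file of exactly $1 bytes, all the character $2, to path $3.
fill() { head -c "$1" /dev/zero | tr '\0' "$2" > "$3"; }

# Constructed tree: several decoys and exactly one file that is a regular file,
# 1033 bytes long and not executable. A directory with no permissions is
# included so the search also produces a "Permission denied" error.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/maybehere01" "$root/maybehere07" "$root/noaccess"
    fill 1033 A "$root/maybehere01/.file1"; chmod +x "$root/maybehere01/.file1"  # right size, but executable
    fill 1032 A "$root/maybehere01/-file2"                                       # one byte short
    fill 1033 A "$root/maybehere07/.file2"                                       # the target
    fill 500  A "$root/noaccess/.file3"                                          # unreadable directory
    chmod 000 "$root/noaccess"
    echo "$root"
}

# -size 1033c: exactly 1033 bytes (the c suffix means bytes; without it find
# rounds up to 512-byte blocks). ! -executable negates the executable test.
# 2>/dev/null discards the permission errors so only matches reach stdout.
find_candidate() {
    find "$1" -type f -size 1033c ! -executable 2>/dev/null
}

# The same search with stdout discarded and stderr kept, to count how many
# error lines the unreadable directory contributes (zero when run as root,
# which may read any directory).
error_lines() {
    find "$1" -type f -size 1033c ! -executable 2>&1 >/dev/null | wc -l | tr -d ' '
}

# Restore permissions before removing the scratch tree.
cleanup_tree() { chmod 700 "$1/noaccess" && rm -rf "$1"; }

# Usage
tree=$(make_tree)
find_candidate "$tree"
echo "error lines without 2>/dev/null: $(error_lines "$tree")"
cleanup_tree "$tree"
```

The order of the redirections in error_lines matters: 2>&1 >/dev/null first sends stderr to wherever stdout currently goes (the pipe) and only then points stdout at /dev/null, which is the mirror image of the wiki's command.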

Problem 7-8

The password for this problem was hidden in a file named data.txt, next to the word "millionth". The command cat data.txt | grep millionth solved this problem quickly.

Password: TESKZC0XvTetK0S9xNwm25STk5iWrBvP

Problem 8-9

For this problem I had to go through data.txt to find the only line that occurs once. To do this I looked into the sort command, which sorts the lines of a file. Using uniq with the -u option then filters for only the unique lines.

I then put together the command sort data.txt | uniq -u to find the only unique line in the file.

Password: EN632PlfYiZbn3PhVK3XOGSlNInNE00t
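The following script is an added example, not part of this wiki page or the Bandit challenge. It shows why sort has to come before uniq -u in Problem 8-9: uniq only compares each line with the one immediately before it, so duplicates that are not adjacent would all be reported as unique. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki: sort | uniq -u on a constructed file whose
# duplicate lines are deliberately not adjacent.

make_data() {
    f=$(mktemp)
    # Every line except "only-once-xyz" appears twice, with the copies
    # separated so that plain "uniq -u" cannot see them as duplicates.
    printf '%s\n' alpha beta gamma only-once-xyz alpha delta beta gamma delta > "$f"
    echo "$f"
}

# Wrong: without sort, uniq -u reports every line that differs from its
# neighbour, which here is all of them.
unique_lines_naive() { uniq -u "$1"; }

# Right: sort first so identical lines become adjacent, then keep singletons.
unique_line() { sort "$1" | uniq -u; }

# Usage
data=$(make_data)
echo "naive: $(unique_lines_naive "$data" | wc -l | tr -d ' ') lines"
echo "sorted: $(unique_line "$data")"
rm -f "$data"
```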

Problem 9-10

This time the password was stored alongside numerous equal signs. When I tried to search for this with the command cat data.txt | grep = it interpreted the equal sign as an expression instead of a string.

I then used cat data.txt to see what exactly the file looked like; it appears to be a mix of strings and binary data.

Looking into this and the OverTheWire hints, I found that the strings command prints only the printable character sequences within a file.

I also found that using a ^ sign allows me to grep for an equal sign without it being taken as an expression. Combining this knowledge I ended up with the command cat data.txt | strings | grep ^=, which returned a couple of lines, only one of which looked like the password I was looking for.

Password: G7w8LIi6J3kTb8A7j9LgrywtEUlyyp6s
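The following script is an added example, not part of this wiki page or the Bandit challenge. It rebuilds Problem 9-10 on a constructed file that mixes binary bytes with text: strings turns the printable runs into ordinary text lines, and the anchored pattern ^= then selects the line that begins with an equal sign. strings(1) comes from binutils and is used when present; otherwise a portable tr/grep substitute (an assumption of this example, not the wiki's method) produces the same runs.

```shell
#!/bin/sh
# Added example, not from the wiki: extracting a line that starts with "=" from
# a file mixing binary bytes with text, as in bandit9's data.txt. The sample
# file is constructed; the real data.txt is not reproduced.

make_binary_blob() {
    f=$(mktemp)
    {
        printf '\001\002\003junk\377\376'                     # non-printable bytes around "junk"
        printf '\n========== constructed-secret-value\n'      # the line we want
        printf '\200\201=x\n'                                  # a run too short for strings
        printf 'plain text line without equals\n'
    } > "$f"
    echo "$f"
}

# Print every run of at least four printable characters, one per line.
printable_runs() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        # Fallback: turn each non-printable byte into a newline, then keep
        # lines of four or more characters (strings' default minimum).
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
    fi
}

# ^ anchors the pattern to the start of a line, so "=" must be the first
# character; the quotes keep the shell from interpreting the pattern.
find_equals_line() {
    printable_runs "$1" | grep '^='
}

# Usage
blob=$(make_binary_blob)
find_equals_line "$blob"
rm -f "$blob"
```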

Part 03 - Problems 11-15

Problem 10-11

The password for this problem is stored in data.txt, but it is encoded in base64. To solve this I looked into the manual for base64 with the command man base64.

Using the parameter -d I was able to decode data.txt. My final command was cat data.txt | base64 -d.

Password: 6zPeziLdR2RKNdNYFNb6nVCKzphlXHBM

Problem 11-12

This problem involves a ROT13 Caesar cipher, where each letter within data.txt has been rotated by 13 positions. For example, "A" becomes "N", "B" becomes "O", etc. To solve this I referred to the manual page for the tr (translate) command with man tr.

I first had to use cat to read data.txt, and then piped it into tr '[A-Za-z]' '[N-ZA-Mn-za-m]' to shift the letters 13 places. My final command was cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'.

Password: JVNBBFSmZwKKOP0XbFXOoW8chDz5yVRv
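The following script is an added example, not part of this wiki page or the Bandit challenge. It wraps the base64 decode from Problem 10-11 and the tr translation from Problem 11-12 as shell functions, and generalizes the latter to any Caesar shift n: the two tr sets are built by rotating the alphabet instead of being typed out, and ROT13 is the special case n = 13. The sample strings are constructed; GNU base64 is assumed for -d.

```shell
#!/bin/sh
# Added example, not from the wiki: a general ROT-n built on tr, with ROT13 as
# the bandit11 special case, and the bandit10 base64 decode as a function.

# Rotate every letter of $2 by $1 positions (digits and punctuation pass through).
rotn() {
    n=$(( $1 % 26 ))
    up=ABCDEFGHIJKLMNOPQRSTUVWXYZ
    lo=abcdefghijklmnopqrstuvwxyz
    # Rotate each alphabet left by n: for n=3 this gives DEF...ZABC.
    up_r=$(printf '%s' "$up" | awk -v n="$n" '{ print substr($0, n + 1) substr($0, 1, n) }')
    lo_r=$(printf '%s' "$lo" | awk -v n="$n" '{ print substr($0, n + 1) substr($0, 1, n) }')
    # Same mapping as the wiki's tr '[A-Za-z]' '[N-ZA-Mn-za-m]' when n=13.
    printf '%s' "$2" | tr "$up$lo" "$up_r$lo_r"
}

# ROT13 is its own inverse: 13 + 13 = 26, a full turn of the alphabet.
rot13() { rotn 13 "$1"; }

# Decode a base64 string (the wiki pipes data.txt into base64 -d).
b64_decode() { printf '%s' "$1" | base64 -d; }

# Usage
rot13 'Hello, World'; echo
rot13 "$(rot13 'Hello, World')"; echo
b64_decode 'Y29uc3RydWN0ZWQtc2FtcGxl'; echo
```

Because a Caesar shift only permutes the alphabet, the decode of ROT-n is ROT-(26-n); for n = 13 both are the same command, which is why the wiki's single tr invocation both "encrypts" and "decrypts".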

Problem 12-13

For this problem the answer was hidden within data.txt, which is a hex dump of a file that has been repeatedly compressed. To solve this I first created a temporary folder with the command mkdir /tmp/isaiah -p. I then copied data.txt to this folder with cp data.txt /tmp/isaiah, moved into the new folder with cd /tmp/isaiah, and used xxd -r data.txt > firstconversion to reverse the hex dump and save the result as a file named firstconversion. I then used file firstconversion to view information about the newly converted file.

After this I had to decompress the file. I started by giving it the .gz extension with mv firstconversion secondconversion.gz, then used gunzip secondconversion.gz to decompress it.

Seeing that this time it was compressed with bzip2, I used the command mv secondconversion thirdconversion.bz2 and then bzip2 -d thirdconversion.bz2 to decompress it once more. Once again I ran file thirdconversion to view the type of data, which was another gzip file. I repeated the gzip steps above on the thirdconversion file.

After this there was a tar archive. Once again I used the command mv fourthconversion fifthconversion.tar and then tar -xf fifthconversion.tar, which produced data5.bin.

Once again this was another tar archive, so I used mv data5.bin data5.tar to give it the tar extension and tar -xf data5.tar to extract it, which gave me data6.bin.

Once again this was another bzip2 compression, so I repeated my steps above.

This gave me yet another tar archive to extract.

Which in turn gave me another gzip file to decompress.

With this conversion I finally reached the end of the rabbit hole, giving me the password.

Password: wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
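The following script is an added example, not part of this wiki page or the Bandit challenge. It turns the repeated mv-then-decompress steps of Problem 12-13 into a loop that identifies each layer from its leading bytes (gzip, bzip2 or tar) and peels it off until plain data remains. The nested sample is constructed here; the loop reads magic bytes with od and dd rather than file(1), so it does not need file installed, and it starts from the reversed binary, skipping the wiki's xxd -r step. The bzip2 branch is present but the sample does not exercise it.

```shell
#!/bin/sh
# Added example, not from the wiki: the bandit12 "unwrap until it is plain
# text" procedure as a loop driven by magic bytes. All paths and contents
# are constructed for this demonstration.

# Build: text -> gzip -> tar -> gzip -> tar, ending in $work/data.bin
make_nested() {
    work=$(mktemp -d)
    ( cd "$work" &&
      printf 'constructed final password line\n' > data8 &&
      gzip -n data8 && mv data8.gz data7 &&
      tar -cf data6 data7 && rm data7 &&
      gzip -n data6 && mv data6.gz data5 &&
      tar -cf data.bin data5 && rm data5 )
    echo "$work/data.bin"
}

# Classify a file by magic bytes: 1f 8b = gzip, "BZh" = bzip2, "ustar" at
# offset 257 = tar; anything else is treated as the final payload ("data").
layer_type() {
    magic=$(od -An -tx1 -N3 "$1" | tr -d ' \n')
    case $magic in
        1f8b*)  echo gzip;  return ;;
        425a68) echo bzip2; return ;;
    esac
    if [ "$(dd if="$1" bs=1 skip=257 count=5 2>/dev/null)" = ustar ]; then
        echo tar
    else
        echo data
    fi
}

# Remove one layer (the rename-then-decompress step from the wiki) and print
# the path of the inner file. Fails when there is nothing left to unwrap.
unwrap_once() {
    f=$1; d=$(dirname "$f")
    case $(layer_type "$f") in
        gzip)  mv "$f" "$f.gz"  && gzip -d "$f.gz"   && echo "$f" ;;
        bzip2) mv "$f" "$f.bz2" && bzip2 -d "$f.bz2" && echo "$f" ;;
        tar)   member=$(tar -tf "$f" | head -n 1) &&
               ( cd "$d" && tar -xf "$f" ) && echo "$d/$member" ;;
        *)     return 1 ;;
    esac
}

# Keep unwrapping until layer_type reports plain data; print the final path.
unwrap_all() {
    f=$1
    while next=$(unwrap_once "$f"); do
        f=$next
    done
    echo "$f"
}

# Usage: build the sample, unwrap every layer and print the innermost content.
sample=$(make_nested)
cat "$(unwrap_all "$sample")"
rm -rf "$(dirname "$sample")"
```

Checking magic bytes instead of trusting a file name is the same thing file(1) does for you; the renames are only there because gzip and bzip2 insist on a matching suffix when decompressing in place.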

Problem 13-14

For this level, the password was stored in /etc/bandit_pass/bandit14, which can only be read by user bandit14. When I got into bandit13, I used ls to see that there was a file called sshkey.private, which I presumed to be the private SSH key the OverTheWire website was referring to. After looking into the problem I found that the -i parameter lets me use an identity file to log into the server. With this I used the command ssh -i sshkey.private bandit14@localhost to log in locally on the remote machine with sshkey.private. This threw me an error saying that remote connecting on port 22 was not intended.

To get around this I moved sshkey.private to my laptop using the command scp -P 2220 bandit13@bandit.labs.overthewire.org:sshkey.private . The scp command transfers files over an SSH connection; in my case I connected to the remote host and transferred the file to my laptop.

I was then able to use the command ssh -i sshkey.private -p 2220 bandit14@bandit.labs.overthewire.org to connect to bandit14. I then used the command cat /etc/bandit_pass/bandit14 to get bandit14's password.

Password: fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq

Problem 14-15

The password for this level can be found by submitting the password of the current level to port 30000 on localhost. I ran the command nc localhost 30000 to connect to port 30000 on localhost, where I entered bandit14's password, fGrHPx402xGC7U7rXKDaxiWFTOiF0ENq, which gave me the password for bandit15.

Password: jN2kgmIXJ6fShzhT2avhotn4Zcka6tnt

Part 04 - Problems 16-20

Problem 15-16

For this problem, the password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption. I started by looking into the commands I might need, where I came across the openssl command. After looking into the syntax I ran the command openssl s_client -connect localhost:30001 to connect to port 30001. This spat out a lot of information and hex dumps, then reached a point where it takes input. I submitted the password for bandit15 here, which gave me the password for the next level.

Password: JQttfApK4SeyHwDlI9SXGR50qclOAil1

Problem 16-17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. I had to find out which of these ports have a server listening on them, and then which of those speak SSL and which don't. There should be only one server that fits these criteria. To do this I used nmap to scan the host's ports. I used the flag -p to scan ports 31000 to 32000 and the flag -sV to run a service/version detection scan. Running the command nmap -sV localhost -p 31000-32000 took a while, but the results gave me two ports that were using SSL, port 31518 and port 31790.

With port 31518 running echo, it seemed that 31790 was going to be my winner. Using the command openssl s_client -connect localhost:31790 to connect to this port (as in the previous problem), I was able to submit my password for bandit16, which gave me a private SSH key I could use to connect to bandit17. After this I had to make a key file out of the RSA private key: I created a file called private.key, opened it in Vi and pasted the RSA key in. After this I used chmod 400 private.key and then the command ssh -i private.key -p 2220 bandit17@localhost. After getting in I used the command cat /etc/bandit_pass/bandit17 to get the password for bandit17.

Password: VwOSWtCA7lRKkTfbr2IDh6awj9RNZM5e

RSA Private Key:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAvmOkuifmMg6HL2YPIOjon6iWfbp7c3jx34YkYWqUH57SUdyJ
imZzeyGC0gtZPGujUSxiJSWI/oTqexh+cAMTSMlOJf7+BrJObArnxd9Y7YT2bRPQ
Ja6Lzb558YW3FZl87ORiO+rW4LCDCNd2lUvLE/GL2GWyuKN0K5iCd5TbtJzEkQTu
DSt2mcNn4rhAL+JFr56o4T6z8WWAW18BR6yGrMq7Q/kALHYW3OekePQAzL0VUYbW
JGTi65CxbCnzc/w4+mqQyvmzpWtMAzJTzAzQxNbkR2MBGySxDLrjg0LWN6sK7wNX
x0YVztz/zbIkPjfkU1jHS+9EbVNj+D1XFOJuaQIDAQABAoIBABagpxpM1aoLWfvD
KHcj10nqcoBc4oE11aFYQwik7xfW+24pRNuDE6SFthOar69jp5RlLwD1NhPx3iBl
J9nOM8OJ0VToum43UOS8YxF8WwhXriYGnc1sskbwpXOUDc9uX4+UESzH22P29ovd
d8WErY0gPxun8pbJLmxkAtWNhpMvfe0050vk9TL5wqbu9AlbssgTcCXkMQnPw9nC
YNN6DDP2lbcBrvgT9YCNL6C+ZKufD52yOQ9qOkwFTEQpjtF4uNtJom+asvlpmS8A
vLY9r60wYSvmZhNqBUrj7lyCtXMIu1kkd4w7F77k+DjHoAXyxcUp1DGL51sOmama
+TOWWgECgYEA8JtPxP0GRJ+IQkX262jM3dEIkza8ky5moIwUqYdsx0NxHgRRhORT
8c8hAuRBb2G82so8vUHk/fur85OEfc9TncnCY2crpoqsghifKLxrLgtT+qDpfZnx
SatLdt8GfQ85yA7hnWWJ2MxF3NaeSDm75Lsm+tBbAiyc9P2jGRNtMSkCgYEAypHd
HCctNi/FwjulhttFx/rHYKhLidZDFYeiE/v45bN4yFm8x7R/b0iE7KaszX+Exdvt
SghaTdcG0Knyw1bpJVyusavPzpaJMjdJ6tcFhVAbAjm7enCIvGCSx+X3l5SiWg0A
R57hJglezIiVjv3aGwHwvlZvtszK6zV6oXFAu0ECgYAbjo46T4hyP5tJi93V5HDi
Ttiek7xRVxUl+iU7rWkGAXFpMLFteQEsRr7PJ/lemmEY5eTDAFMLy9FL2m9oQWCg
R8VdwSk8r9FGLS+9aKcV5PI/WEKlwgXinB3OhYimtiG2Cg5JCqIZFHxD6MjEGOiu
L8ktHMPvodBwNsSBULpG0QKBgBAplTfC1HOnWiMGOU3KPwYWt0O6CdTkmJOmL8Ni
blh9elyZ9FsGxsgtRBXRsqXuz7wtsQAgLHxbdLq/ZJQ7YfzOKU4ZxEnabvXnvWkU
YOdjHdSOoKvDQNWu6ucyLRAWFuISeXw9a/9p7ftpxm0TSgyvmfLF2MIAEwyzRqaM
77pBAoGAMmjmIJdjp+Ez8duyn3ieo36yrttF5NSsJLAbxFpdlc1gvtGCWW+9Cq0b
dxviW8+TFVEBl1O4f7HVm6EpTscdDxU+bCXWkfjuRb7Dy9GOtt9JPsX8MBTakzh3
vBgsyi/sN3RqRBcGU40fOoZyfAMT8s1m/uYv52O6IgeuZ/ujbjY=
-----END RSA PRIVATE KEY-----
```

Problem 17-18

For this problem there are 2 files in the home directory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new. The diff command suggested in the hints is the solution to this problem, as it is used to find exactly this. Running the command diff passwords.old passwords.new gives the result:

```
42c42
< p6ggwdNHncnmCNxuAt0KtKVq185ZU7AW
---
> hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
```

This shows that the line with p6ggwdNHncnmCNxuAt0KtKVq185ZU7AW in passwords.old has been replaced with hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg in passwords.new.

Password: hga5tuuCLF6fFzUpnagiMN8ssu9LFrdg
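The following script is an added example, not part of this wiki page or the Bandit challenge. It rebuilds the Problem 17-18 comparison on two constructed 50-line files that differ only on line 42 and pulls the changed line, and its line number, out of diff's output instead of reading them off the screen. The real passwords.old and passwords.new are not reproduced.

```shell
#!/bin/sh
# Added example, not from the wiki: diff passwords.old passwords.new with the
# result parsed programmatically. Both files are constructed.

# Fifty constructed lines; passwords.new differs from passwords.old only on
# line 42, mirroring the "42c42" hunk the wiki shows.
make_password_files() {
    d=$(mktemp -d)
    i=1
    while [ "$i" -le 50 ]; do
        printf 'constructed-line-%02d\n' "$i"
        i=$((i + 1))
    done > "$d/passwords.old"
    sed '42s/.*/constructed-new-value-for-line-42/' "$d/passwords.old" > "$d/passwords.new"
    echo "$d"
}

# diff prints the hunk header "42c42", the old line prefixed "< ", a "---"
# separator and the new line prefixed "> ". Only the "> " lines come from the
# new file, so keep those and strip the two-character prefix.
changed_line() {
    diff "$1/passwords.old" "$1/passwords.new" | sed -n 's/^> //p'
}

# The hunk header gives the line numbers: NcM means line N of the first file
# was changed into line M of the second.
changed_line_number() {
    diff "$1/passwords.old" "$1/passwords.new" | sed -n 's/^\([0-9]*\)c[0-9]*$/\1/p'
}

# Usage
files=$(make_password_files)
changed_line_number "$files"
changed_line "$files"
rm -rf "$files"
```

Note that diff exits with status 1 whenever the files differ; in a pipeline that is hidden by sed's exit status, but a script that calls diff on its own should treat 1 as "differences found", not as an error.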

Problem 18-19

The password for the next level is stored in a file readme in the home directory. Unfortunately, someone has modified .bashrc to log me out each time I log in with SSH.

To resolve this, I simply have to run commands remotely through SSH. I used the command ssh bandit18@bandit.labs.overthewire.org -p 2220 ls to run ls remotely. This shows me that there is a file called readme in the home directory. After this I used the command ssh bandit18@bandit.labs.overthewire.org -p 2220 cat readme to read the file, which gave me my password.

Password: awhqfNnAbc1naukrpqDYcF95h7HoMTrC

Problem 19-20

For this problem, the password is in the usual /etc/bandit_pass/bandit20 location, but once again I cannot access it as bandit19. There is a file in the home directory called bandit20-do, and checking its permissions with ls -la shows that the file is owned by the user bandit20 and the group bandit19. Running the file tells me that it essentially runs a command as another user; running the command ./bandit20-do id shows that it runs with the effective user id of bandit20. I then used the command ./bandit20-do cat /etc/bandit_pass/bandit20, which spits out my password for bandit20.

Password: VxCazJaVykI6W36BkBU0mJTCM8rR95XT
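The following script is an added example, not part of this wiki page or the Bandit challenge. It shows the permission bit behind Problem 19-20: bandit20-do runs as its owner because the set-user-ID bit is set on it. The script gives a constructed throwaway file that bit (any user may do this on a file they own, so no root is needed, and the file is never executed), recognises it from the ls -l mode string, and runs the find query an administrator uses to inventory such files on a host.

```shell
#!/bin/sh
# Added example, not from the wiki: recognising and inventorying set-user-ID
# files. All paths and contents are constructed for this demonstration.

make_suid_sample() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho constructed helper\n' > "$d/helper-do"
    printf 'nothing special\n' > "$d/plain"
    chmod 4755 "$d/helper-do"   # rwsr-xr-x: the "s" in the owner triple is set-user-ID
    chmod 0755 "$d/plain"       # rwxr-xr-x: an ordinary executable
    echo "$d"
}

# In the ten-character mode string from ls -l, the owner's execute position
# (4th character) reads "s" when set-user-ID is on ("S" if the execute bit
# itself is off), e.g. -rwsr-xr-x as seen on bandit20-do.
is_setuid_ls() {
    case $(ls -ld "$1" | cut -c1-10) in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Inventory every regular file under a tree whose mode includes 04000. This is
# the standard audit query for locating set-user-ID programs.
list_setuid() {
    find "$1" -type f -perm -4000
}

# Usage
sample=$(make_suid_sample)
ls -l "$sample"
list_setuid "$sample"
rm -rf "$sample"
```

When such a file is owned by a more privileged user, whatever it executes runs with that user's effective id, which is exactly what ./bandit20-do id showed; that is why an audit of set-user-ID files is a routine part of checking a host's privilege boundaries.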

After successfully logging into bandit20, I had completed my assigned problems.


Recordings